Thousands of active WordPress plugins have been hit with a swathe of cross-site scripting (XSS) vulnerabilities that could give attackers complete control of sites. One of the affected plugins was designed to work with the popular WordPress ecommerce system WooCommerce.
Researchers at NinTechNet found a vulnerability in the WordPress Flexible Checkout Fields for WooCommerce plugin, which enhances the popular WordPress ecommerce system with the ability to configure custom checkout fields using a simple user interface.
The flaw, which the authors at WPDesk subsequently blogged about, enabled attackers to add two custom fields to the Billing and Shipping sections of a WooCommerce page. These inject a script that, once run, enables the creation of four new administrative accounts using predefined email addresses. An existing site admin would have to visit either the plugin configuration screen or the checkout page for these accounts to be set up.
At this point, the infected site would also download a zip file and store it in the site’s content upload section, extracting PHP pages from it and installing them in the plugin section as
WordPress firewall and malware scanning company Wordfence rated this vulnerability as critical in its own blog post. It added that the exploit was possible due to an XSS flaw on the pages accessed by the site admin. It happened because the site didn’t check authentication for
updateSettingsAction, a function that hooked into
admin_init. This contains code that runs whenever an admin page is loaded, including those that don’t require authentication. Wordfence’s researchers said:
admin_init. Like the first bug, it runs on pages that don’t require authentication. It also runs for some front-of-site visitors, Wordfence added.
The final bug affected the Modern Events Calendar Lite plugin, which helps people manage events. This plugin uses several actions for logged-in users with low privileges that manipulate settings data. Attackers have been injecting XSS code to target admin pages and create rogue accounts for themselves, Wordfence said. It was also possible to hit the front page of an affected site to affect visitors, it added.
Anyone using these plugins should patch immediately using the blogging software’s built-in update system or by visiting the plugins’ download pages.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.